diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index f168240e91..38976a0a64 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, WMIC Uninstall Product, Raccine Uninstall, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, WMIC Uninstall Product, MalwareBytes Uninstallation, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, WMIC Uninstall Product, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
index 58a79f4a28..70027a1f85 100644
--- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Rundll32.exe Execution, CMSTP Execution, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Mshta Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, xWizard Execution, Equation Group DLL_U Load, Suspicious Control Process, MavInject Process Injection"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Koadic Execution, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CMSTP Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, xWizard Execution, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, Mshta JavaScript Execution, Equation Group DLL_U Load, Control Panel Items, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
index ebbd8c6111..277aa654c2 100644
--- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Citrix NetScaler / ADC [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Citrix NetScaler / ADC [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
index 5b45ac1611..a1351ae60f 100644
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Rundll32.exe Execution, CMSTP Execution, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Mshta Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, xWizard Execution, Equation Group DLL_U Load, Suspicious Control Process, MavInject Process Injection"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Koadic Execution, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CMSTP Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, xWizard Execution, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, Mshta JavaScript Execution, Equation Group DLL_U Load, Control Panel Items, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index 64320c3f42..a767929ba9 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Alert, SquirrelWaffle Malspam Execution Loading DLL, Microsoft 365 Defender Cloud App Security Alert, IcedID Execution Using Excel, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft 365 Defender For Endpoint Alert, Microsoft 365 Defender Alert, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, Microsoft 365 Defender Cloud App Security Alert, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Outlook Child Process, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, Venom Multi-hop Proxy agent detection, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Reverse Shell Detection, Powershell Web Request, PowerShell Downgrade Attack, Microsoft Defender for Office 365 Alert, Socat Relaying Socket, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Microsoft 365 Defender For Endpoint Alert, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft 365 Defender Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Alert, Usage Of Sysinternals Tools, PsExec Process, Microsoft 365 Defender Cloud App Security Alert, Winword wrong parent, Wininit Wrong Parent, Winrshost Wrong Parent, Microsoft 365 Defender Alert, Microsoft 365 Defender For Endpoint Alert, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Windows Update LolBins, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Disabled Service, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled Service, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Wininit Wrong Parent, New Service Creation, Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Wininit Wrong Parent, New Service Creation, Suspicious Commands From MS SQL Server Shell, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Explorer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Winword wrong parent, Wininit Wrong Parent, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Leviathan Registry Key Activity, Kernel Module Alteration, Autorun Keys Modification"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Ursnif Registry Key, Blue Mockingbird Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), Koadic MSHTML Command, Potential Bazar Loader User-Agents, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Download Files From Suspicious TLDs, Microsoft Defender for Office 365 Alert, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, Microsoft 365 Defender Alert, Microsoft 365 Defender Cloud App Security Alert, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Microsoft 365 Defender For Endpoint Alert"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Alert, PowerShell EncodedCommand, Socat Relaying Socket, Microsoft 365 Defender Alert, Koadic Execution, Powershell Web Request, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Python Offensive Tools and Packages, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft 365 Defender For Endpoint Alert, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Lazarus Loaders, Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Suspicious Windows Script Execution, Microsoft 365 Defender Cloud App Security Alert, Suspicious PowerShell Invocations - Specific, Microsoft Office Spawning Script, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Alert, Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Winword wrong parent, Suspicious DNS Child Process, PsExec Process, Microsoft 365 Defender Alert, Windows Update LolBins, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments, Microsoft 365 Defender Cloud App Security Alert, Wininit Wrong Parent, Microsoft 365 Defender For Endpoint Alert"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Allowed Python Program, Disabled Service, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled Service, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Mshta Suspicious Child Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, MavInject Process Injection, Control Panel Items, Explorer Process Executing HTA File"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, Winrshost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Winword wrong parent, Wininit Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, Winrshost Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Winword wrong parent, Wininit Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Winword wrong parent, Suspicious DNS Child Process, PsExec Process, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, Autorun Keys Modification, NjRat Registry Changes"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Blue Mockingbird Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index f336416e5c..e2dda548e1 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
index 60040a2598..e701bf4e8d 100644
--- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Apex One [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Rundll32.exe Execution, CMSTP Execution, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Mshta Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, xWizard Execution, Equation Group DLL_U Load, Suspicious Control Process, MavInject Process Injection"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Apex One [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Ngrok Process Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Koadic Execution, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CMSTP Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, xWizard Execution, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, Mshta JavaScript Execution, Equation Group DLL_U Load, Control Panel Items, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index e00ee9aefb..20a7d145f8 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Quarantine Success, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, SentinelOne EDR User Failed To Log In To The Management Console, Download Files From Suspicious TLDs, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR SSO User Added, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Threat Detected (Suspicious), Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Agent Disabled, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Default Encoding To UTF-8 PowerShell, SentinelOne EDR SSO User Added, SentinelOne EDR User Logged In To The Management Console, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Threat Mitigation Report Remediate Success, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Specific, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Lazarus Loaders, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Failed To Log In To The Management Console, Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Usage Of Procdump With Common Arguments, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR SSO User Added, SolarWinds Wrong Child Process, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, WMIC Uninstall Product, Raccine Uninstall, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Package Manager Alteration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CMSTP UAC Bypass via COM Object Access, MavInject Process Injection"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Agent Disabled, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Kill Success, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Malicious), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Agent Disabled, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Logged In To The Management Console, Suspicious Cmd.exe Command Line, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Custom Rule Alert, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Suspicious), Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Agent Disabled, Usage Of Procdump With Common Arguments, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Kill Success, SolarWinds Wrong Child Process, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, WMIC Uninstall Product, MalwareBytes Uninstallation, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Package Manager Alteration, WMIC Uninstall Product, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, MavInject Process Injection, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Cron Files Alteration, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
index 1226d3ba67..7db792e688 100644
--- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
index 5ad413aaec..6adcbddce4 100644
--- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Outlook Child Process, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Elise Backdoor, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Windows Update LolBins, Suspicious DNS Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, New Service Creation, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, New Service Creation, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Explorer Wrong Parent"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Koadic Execution, Powershell Web Request, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, Microsoft Office Spawning Script, PowerShell Download From URL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Mshta Suspicious Child Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, MavInject Process Injection, Control Panel Items, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Winword wrong parent, Suspicious DNS Child Process, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Winword wrong parent, Suspicious DNS Child Process, PsExec Process, Windows Update LolBins, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Winword wrong parent"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index 1e74ed9d23..7d0c4038a3 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, WMIC Uninstall Product, Raccine Uninstall, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Venom Multi-hop Proxy agent detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, Blue Mockingbird Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, WMIC Uninstall Product, MalwareBytes Uninstallation, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Suspicious Driver Loaded, WMIC Uninstall Product, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, FlowCloud Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Blue Mockingbird Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
index 3e5ba12bd6..46a68d2d46 100644
--- a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, WMIC Uninstall Product, Raccine Uninstall, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, WMIC Uninstall Product, MalwareBytes Uninstallation, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, WMIC Uninstall Product, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
index 0573405137..2ebe87c30f 100644
--- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
index 9dc4ffa496..e29494ff89 100644
--- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
index 5fcdd03f62..4b093fe5f9 100644
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
index 52d97021ab..3fa180658f 100644
--- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, WMIC Uninstall Product, Raccine Uninstall, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, WMIC Uninstall Product, MalwareBytes Uninstallation, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, WMIC Uninstall Product, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index 31ff7447f2..884a9b5f2c 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Informational Severity, SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection Medium Severity, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Low Severity, Winword Document Droppers, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection High Severity, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, CrowdStrike Falcon Intrusion Detection Informational Severity, MalwareBytes Uninstallation, WMIC Uninstall Product, CrowdStrike Falcon Intrusion Detection Medium Severity, Suspicious Taskkill Command, Suspicious Outlook Child Process, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Default Encoding To UTF-8 PowerShell, CrowdStrike Falcon Intrusion Detection Low Severity, Python Offensive Tools and Packages, CrowdStrike Falcon Intrusion Detection Critical Severity, Trickbot Malware Activity, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, CrowdStrike Falcon Intrusion Detection High Severity, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, CrowdStrike Falcon Intrusion Detection, Microsoft Office Spawning Script"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, CrowdStrike Falcon Intrusion Detection Informational Severity, PsExec Process, CrowdStrike Falcon Intrusion Detection Medium Severity, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, Windows Update LolBins, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, CrowdStrike Falcon Intrusion Detection, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Ngrok Process Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Intrusion Detection Critical Severity, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Low Severity, PowerShell EncodedCommand, Koadic Execution, Powershell Web Request, QakBot Process Creation, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection, Python Offensive Tools and Packages, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, CrowdStrike Falcon Intrusion Detection High Severity, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, CrowdStrike Falcon Intrusion Detection Medium Severity, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), CrowdStrike Falcon Intrusion Detection Informational Severity, Suspicious Outlook Child Process, Elise Backdoor, Suspicious Windows Script Execution, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious PowerShell Invocations - Specific, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, CrowdStrike Falcon Intrusion Detection Low Severity, Winword wrong parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, CrowdStrike Falcon Intrusion Detection, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, CrowdStrike Falcon Intrusion Detection High Severity, Wmiprvse Wrong Parent, Logonui Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Rare Lsass Child Found, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Searchprotocolhost Child Found, Spoolsv Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Mshta Suspicious Child Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, MavInject Process Injection, Control Panel Items, Explorer Process Executing HTA File"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
index 6faadaa891..c8162ead51 100644
--- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
index 8757700244..3e0d450a6b 100644
--- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Sliver DNS Beaconing, Python HTTP Server, Chafer (APT 39) Activity, Suspicious LDAP-Attributes Used, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Jumpcloud Policy Modified, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, HarfangLab EDR Low Level Rule Detection, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, HarfangLab EDR Low Level Rule Detection, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, Turla Named Pipes, WMIC Uninstall Product, Suspicious DLL Loaded Via Office Applications, PowerShell Invoke Expression With Registry, In-memory PowerShell, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Suspicious Taskkill Command, QakBot Process Creation, Mustang Panda Dropper, Suspicious Windows Script Execution, Venom Multi-hop Proxy agent detection, WMI DLL Loaded Via Office, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Scripting In A WMI Consumer, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, Invoke-TheHash Commandlets, Trickbot Malware Activity, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, FromBase64String Command Line, Koadic Execution, WMImplant Hack Tool, Malicious PowerShell Keywords, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, PowerShell Credential Prompt, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell - NTFS Alternate Data Stream, Alternate PowerShell Hosts Pipe, Microsoft Office Spawning Script, Detection of default Mimikatz banner, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Suspicious HWP Child Process, Audit CVE Event, Antivirus Password Dumper Detection, Exploit For CVE-2015-1641"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, WMI DLL Loaded Via Office, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory User Backdoors, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Active Directory Delegate To KRBTGT Service, Privileged AD Builtin Group Modified, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators, Active Directory Replication User Backdoor"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH X11 Forwarding, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SSH Tunnel Traffic, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Turla Named Pipes, PowerShell Invoke Expression With Registry, In-memory PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, FromBase64String Command Line, WMImplant Hack Tool, Malicious PowerShell Keywords, PowerShell Credential Prompt, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Alternate PowerShell Hosts Pipe, PowerShell - NTFS Alternate Data Stream, Detection of default Mimikatz banner"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Eventlog Cleared, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Malware Protection Engine Crash, Debugging Software Deactivation, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Python Opening Ports, Powershell AMSI Bypass, Suspect Svchost Memory Access, Netsh Port Opening, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Disable SecurityHealth, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line, Rubeus Register New Logon Process, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Malware Protection Engine Crash, Debugging Software Deactivation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Services, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth, Disable Task Manager Through Registry Key, Raccine Uninstall, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Python Opening Ports, Netsh Allowed Python Program, Powershell AMSI Bypass, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, RDP Port Change Using Powershell, DHCP Callout DLL Installation, RedMimicry Winnti Playbook Registry Manipulation, Remote Registry Management Using Reg Utility, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Ursnif Registry Key, Suspicious Desktopimgdownldr Execution, NetNTLM Downgrade Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Event Subscription, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Mustang Panda Dropper, Suspicious Cmd.exe Command Line, Lazarus Loaders, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, Gpscript Suspicious Parent, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, StoneDrill Service Install, Malicious Service Installations, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Rare Logonui Child Found, APT29 Fake Google Update Service Install, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, Gpscript Suspicious Parent, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, StoneDrill Service Install, Malicious Service Installations, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Rare Logonui Child Found, APT29 Fake Google Update Service Install, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, Suspicious PsExec Execution, Gpscript Suspicious Parent, PsExec Process, OneNote Suspicious Children Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Suspicious DNS Child Process, Smss Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Metasploit PSExec Service Creation, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Smbexec.py Service Installation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, Suspicious PsExec Execution, Gpscript Suspicious Parent, PsExec Process, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Suspicious DNS Child Process, Smss Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Metasploit PSExec Service Creation, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Smbexec.py Service Installation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File, Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Process Herpaderping, Svchost Wrong Parent, Malicious Named Pipe, Suspicious Process Requiring DLL Starts Without DLL, Process Hollowing Detection, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Cobalt Strike Named Pipes, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, NjRat Registry Changes, Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz LSASS Memory Access, Process Memory Dump Using Rdrleakdiag, DCSync Attack, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names, Active Directory Replication from Non Machine Account, Cred Dump Tools Dropped Files, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, Active Directory Database Dump Via Ntdsutil, Lsass Access Through WinRM, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Password Dumper Activity On LSASS, SAM Registry Hive Handle Request, NetNTLM Downgrade Attack, Malicious Service Installations, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Credential Dumping-Tools Common Named Pipes, Transfering Files With Credential Data Via Network Shares, DPAPI Domain Backup Key Extraction, RedMimicry Winnti Playbook Dropped File, WCE wceaux.dll Creation, Unsigned Image Loaded Into LSASS Process, Impacket Secretsdump.py Tool, LSASS Memory Dump, Credential Dumping By LaZagne, Rubeus Tool Command-line, NTDS.dit File In Suspicious Directory, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, LSASS Access From Non System Account, Load Of dbghelp/dbgcore DLL From Suspicious Process, Wdigest Enable UseLogonCredential, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access, Dumpert LSASS Process Dumper, Process Memory Dump Using Rdrleakdiag, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Credential Dumping By LaZagne, Lsass Access Through WinRM, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, LSASS Access From Non System Account, Credential Dumping-Tools Common Named Pipes, Password Dumper Activity On LSASS, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMImplant Hack Tool, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMI DLL Loaded Via Office, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 1, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, SCM Database Privileged Operation, SCM Database Handle Failure"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Execution From Suspicious Folder"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Denied Access To Remote Desktop"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Admin Share Access, MMC Spawning Windows Shell, Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement, Lsass Access Through WinRM, Denied Access To Remote Desktop, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, RDP Login From Localhost"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dumping-Tools Common Named Pipes, RedMimicry Winnti Playbook Dropped File, Cred Dump Tools Dropped Files, SAM Registry Hive Handle Request, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Lateral Movement - Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Microsoft Office Startup Add-In, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, Suspicious LDAP-Attributes Used, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, Jumpcloud Policy Modified"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, Suspicious DLL Loaded Via Office Applications, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, Winword Document Droppers, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, Suspicious DLL Loaded Via Office Applications, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, Winword Document Droppers, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Microsoft Defender Antivirus Threat Detected, Koadic Execution, FromBase64String Command Line, Powershell Web Request, PowerShell - NTFS Alternate Data Stream, QakBot Process Creation, Trickbot Malware Activity, Mustang Panda Dropper, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Alternate PowerShell Hosts Pipe, SquirrelWaffle Malspam Execution Loading DLL, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, In-memory PowerShell, Mshta Suspicious Child Process, Suspicious Scripting In A WMI Consumer, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious DLL Loaded Via Office Applications, Turla Named Pipes, Suspicious Taskkill Command, Detection of default Mimikatz banner, PowerShell Credential Prompt, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Venom Multi-hop Proxy agent detection, Malicious PowerShell Keywords, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Specific, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Putty Sessions Listing, Remote Registry Management Using Reg Utility, Suspicious Taskkill Command"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, WMI DLL Loaded Via Office, XSL Script Processing And SquiblyTwo Attack, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, Denied Access To Remote Desktop"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, User Added to Local Administrators, Active Directory User Backdoors, Active Directory Replication User Backdoor, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Delegate To KRBTGT Service, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH Tunnel Traffic, SOCKS Tunneling Tool, Netsh Port Forwarding, SSH X11 Forwarding, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Ngrok Process Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, FromBase64String Command Line, Powershell Web Request, PowerShell - NTFS Alternate Data Stream, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, In-memory PowerShell, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Turla Named Pipes, Detection of default Mimikatz banner, PowerShell Credential Prompt, DNS Exfiltration and Tunneling Tools Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Powershell AMSI Bypass, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspect Svchost Memory Access, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Disable Security Events Logging Adding Reg Key MiniNt, Ryuk Ransomware Command Line, Python Opening Ports, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Configuration Changed, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Exclusion Configuration, Disable Windows Defender Credential Guard, TrustedInstaller Impersonation, Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetNTLM Downgrade Attack, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Configuration Changed, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, Disable Windows Defender Credential Guard, TrustedInstaller Impersonation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command, Python Opening Ports"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, NetNTLM Downgrade Attack, FlowCloud Malware, DNS ServerLevelPluginDll Installation, Chafer (APT 39) Activity, Suspicious Desktopimgdownldr Execution, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Ursnif Registry Key, Suspicious New Printer Ports In Registry, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Disable Security Events Logging Adding Reg Key MiniNt, Blue Mockingbird Malware, Remote Registry Management Using Reg Utility, OceanLotus Registry Activity"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Change Default File Association, WMI Event Subscription, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Control Panel Items, Dynwrapx Module Loading, Explorer Process Executing HTA File"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Malicious Service Installations, Dllhost Wrong Parent, Taskhost Wrong Parent, APT29 Fake Google Update Service Install, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, StoneDrill Service Install, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Malicious Service Installations, Dllhost Wrong Parent, Taskhost Wrong Parent, APT29 Fake Google Update Service Install, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, StoneDrill Service Install, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Malicious Service Installations, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Suspicious PsExec Execution, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Metasploit PSExec Service Creation, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Malicious Service Installations, Windows Update LolBins, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Suspicious PsExec Execution, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Metasploit PSExec Service Creation, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Secure Deletion With SDelete, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Smss Wrong Parent, Process Herpaderping, Explorer Wrong Parent, Wmiprvse Wrong Parent, CreateRemoteThread Common Process Injection, Searchindexer Wrong Parent, Cobalt Strike Named Pipes, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Malicious Named Pipe, Dynwrapx Module Loading, Spoolsv Wrong Parent, Process Hollowing Detection, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Credential Dumping By LaZagne, Cmdkey Cached Credentials Recon, Malicious Service Installations, SAM Registry Hive Handle Request, DCSync Attack, Lsass Access Through WinRM, Wdigest Enable UseLogonCredential, Credential Dumping-Tools Common Named Pipes, Dumpert LSASS Process Dumper, Suspicious SAM Dump, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, LSASS Memory Dump File Creation, DPAPI Domain Backup Key Extraction, Copying Browser Files With Credentials, HackTools Suspicious Process Names, Unsigned Image Loaded Into LSASS Process, Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, HackTools Suspicious Process Names In Command Line, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Dropped File, LSASS Memory Dump, Mimikatz LSASS Memory Access, Impacket Secretsdump.py Tool, Password Dumper Activity On LSASS, Active Directory Replication from Non Machine Account, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, LSASS Access From Non System Account, Transfering Files With Credential Data Via Network Shares, Active Directory Database Dump Via Ntdsutil, Rubeus Tool Command-line, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, Werfault DLL Injection, Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Dumpert LSASS Process Dumper, LSASS Memory Dump File Creation, Process Memory Dump Using Rdrleakdiag, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Credential Dumping By LaZagne, LSASS Access From Non System Account, Unsigned Image Loaded Into LSASS Process, Process Memory Dump Using Createdump, LSASS Memory Dump, Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, Password Dumper Activity On LSASS, Credential Dumping Tools Service Execution, Windows Credential Editor Registry Key"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, Invoke-TheHash Commandlets, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, WMI DLL Loaded Via Office, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, AD User Enumeration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, SCM Database Handle Failure, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, NlTest Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Execution From Suspicious Folder, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', RTLO Character"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lsass Access Through WinRM, RDP Login From Localhost, Protected Storage Service Access, RDP Port Change Using Powershell, Denied Access To Remote Desktop, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, MMC Spawning Windows Shell, Smbexec.py Service Installation, Admin Share Access, Lateral Movement - Remote Named Pipe, MMC20 Lateral Movement"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Suspicious SAM Dump, Cred Dump Tools Dropped Files, Copying Browser Files With Credentials, RedMimicry Winnti Playbook Dropped File, SAM Registry Hive Handle Request, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Admin Share Access, Lateral Movement - Remote Named Pipe"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Remote Registry Management Using Reg Utility, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test, Microsoft Office Startup Add-In"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Dynwrapx Module Loading, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index 5e004f9cd1..a21257ede5 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index 32662200e6..7013dd9c9d 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Sliver DNS Beaconing, Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Trickbot Malware Activity, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, OneNote Suspicious Children Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Autorun Keys Modification, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Audit CVE Event, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Ursnif Registry Key, Blue Mockingbird Malware"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Ngrok Process Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Microsoft Defender Antivirus Threat Detected, Koadic Execution, Powershell Web Request, QakBot Process Creation, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Mshta Suspicious Child Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, MavInject Process Injection, Control Panel Items, Explorer Process Executing HTA File"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Audit CVE Event"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Blue Mockingbird Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
index 503c226a19..2ef3ea0d0e 100644
--- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x VMware ESXi [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, WMIC Uninstall Product, Raccine Uninstall, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x VMware ESXi [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Python HTTP Server, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, WMIC Uninstall Product, MalwareBytes Uninstallation, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, WMIC Uninstall Product, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
index 9b0495876c..28c5ea4002 100644
--- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ESA [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ESA [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
index ebf692ccdf..937f31fcc1 100644
--- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
index 72d090909a..9ed09ddc68 100644
--- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, HarfangLab EDR Process Execution Blocked, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Sysmon Windows File Block Executable, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Level Rule Detection, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Critical Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, HarfangLab EDR Low Level Rule Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, Trickbot Malware Activity, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Tampering Detected, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, OneNote Suspicious Children Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Autorun Keys Modification, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, Blue Mockingbird Malware"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Critical Level Rule Detection, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, HarfangLab EDR Critical Level Rule Detection, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, Winword Document Droppers, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Microsoft Defender Antivirus Threat Detected, Koadic Execution, Powershell Web Request, QakBot Process Creation, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Python Offensive Tools and Packages, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Mshta Suspicious Child Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, MavInject Process Injection, Control Panel Items, Explorer Process Executing HTA File"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, HackTools Suspicious Process Names, Cmdkey Cached Credentials Recon, Process Memory Dump Using Createdump, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Cron Files Alteration, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, FlowCloud Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Blue Mockingbird Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
index ec90192d25..84d6ce8b90 100644
--- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS GuardDuty [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS GuardDuty [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
index aae153e86e..1cf12ddf04 100644
--- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR CorePUA Detection, Download Files From Suspicious TLDs, Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Sophos EDR Application Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Sophos EDR CorePUA Detection, Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Sophos EDR Application Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
index 8533aa06e6..54496398e5 100644
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index fa0a5a2b26..3d3cee2ef4 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, Suspicious DNS Child Process, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Outlook Child Process, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, Trickbot Malware Activity, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Spawning Script"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, OneNote Suspicious Children Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, OneNote Suspicious Children Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Autorun Keys Modification, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Load Of dbghelp/dbgcore DLL From Suspicious Process, Copying Browser Files With Credentials"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Ursnif Registry Key, Blue Mockingbird Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2019-0604 SharePoint, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, FoggyWeb HTTP Default GET/POST Requests, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Koadic Execution, Powershell Web Request, QakBot Process Creation, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, Python Offensive Tools and Packages, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Mshta Suspicious Child Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, MavInject Process Injection, Control Panel Items, Explorer Process Executing HTA File"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Cron Files Alteration, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Blue Mockingbird Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index 8ae6826843..0101ed45fa 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Terminate, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Blocked"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Quarantined"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index 099b2ed2cc..cf1f15f0c1 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index 800dc7c10b..3116d37905 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 63395932c6..e84a21ae49 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Suspicious Windows DNS Queries, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Sliver DNS Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index 43d52c9e88..f986733380 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index 948bc9d7db..1f499f036f 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Spam But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Phishing But Allowed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Spam But Allowed, Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Phishing But Allowed, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Malware But Allowed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index f081f4b4f6..fe0f5487c8 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
index 12193e8d5d..a65ed9246a 100644
--- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json
index b8be1a0ea1..0ab73d84da 100644
--- a/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kubernetes Audit Log", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kubernetes Audit Log", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
index 89018c98d4..b6afe6e95d 100644
--- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
index 83c75f66d1..c5363d9229 100644
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
index cb18f23a0c..ddabb26fa8 100644
--- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco NX-OS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Potential DNS Tunnel, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, Venom Multi-hop Proxy agent detection, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Reverse Shell Detection, Powershell Web Request, PowerShell Downgrade Attack, Socat Relaying Socket, Phorpiex DriveMgr Command, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled Service, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled Service, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Rundll32.exe Execution, CMSTP Execution, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Mshta Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, xWizard Execution, Equation Group DLL_U Load, Suspicious Control Process, MavInject Process Injection"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco NX-OS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Socat Relaying Socket, Koadic Execution, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Lazarus Loaders, Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Allowed Python Program, Disabled Service, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled Service, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CMSTP Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, xWizard Execution, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, Mshta JavaScript Execution, Equation Group DLL_U Load, Control Panel Items, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
index 00854fd4ac..4201f5867a 100644
--- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
index 0d144aa74c..0e755ed2df 100644
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Disabled IE Security Features, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, WMIC Uninstall Product, Raccine Uninstall, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, WMIC Uninstall Product, MalwareBytes Uninstallation, Windows Firewall Changes, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, WMIC Uninstall Product, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Lazarus Loaders, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, Control Panel Items, Suspicious Windows Installer Execution, CertOC Loading Dll"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allowed Python Program, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
index 3924addd32..20537ab3d3 100644
--- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
index eeb3379ab1..97c51beab4 100644
--- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
index 7026307608..e82ac9fd36 100644
--- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub New Organization Member, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub Outside Collaborator Detected"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub Delete Action, GitHub Outside Collaborator Detected, GitHub New Organization Member"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub Delete Action, GitHub Outside Collaborator Detected, GitHub New Organization Member"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
index 033263a580..4b9308e9eb 100644
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
index 60f435318d..33fb85410a 100644
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json
index 630e59d2a0..3d593255b2 100644
--- a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, Suspicious DNS Child Process, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Outlook Child Process, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Trickbot Malware Activity, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Spawning Script"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, OneNote Suspicious Children Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, OneNote Suspicious Children Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Load Of dbghelp/dbgcore DLL From Suspicious Process, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2019-0604 SharePoint, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, FoggyWeb HTTP Default GET/POST Requests, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Koadic Execution, Powershell Web Request, QakBot Process Creation, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Mshta Suspicious Child Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, MavInject Process Injection, Control Panel Items, Explorer Process Executing HTA File"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Winrshost Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action, NjRat Registry Changes"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index 0024853e5e..e947c3be43 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, TEHTRIS EDR Alert"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, Elise Backdoor, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, TEHTRIS EDR Alert, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Rundll32.exe Execution, CMSTP Execution, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Mshta Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, xWizard Execution, Equation Group DLL_U Load, Suspicious Control Process, MavInject Process Injection"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, TEHTRIS EDR Alert, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, TEHTRIS EDR Alert, Koadic Execution, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CMSTP Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, xWizard Execution, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, Mshta JavaScript Execution, Equation Group DLL_U Load, Control Panel Items, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index a049990f39..65de05512c 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Python HTTP Server, Covenant Default HTTP Beaconing, Chafer (APT 39) Activity, TrevorC2 HTTP Communication, Suspicious LDAP-Attributes Used, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious HWP Child Process, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Download Files From Suspicious TLDs, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Suspicious HWP Child Process, Download Files From Non-Legitimate TLDs, Audit CVE Event, Antivirus Password Dumper Detection, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, Download Files From Suspicious TLDs, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Critical Level Rule Detection, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, HarfangLab EDR Low Level Rule Detection, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked, HarfangLab EDR Medium Level Rule Detection, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, Download Files From Suspicious TLDs, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Critical Level Rule Detection, Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, HarfangLab EDR Low Level Rule Detection, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Python HTTP Server, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, TUN/TAP Driver Installation, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Suspicious TOR Gateway, Netsh Port Forwarding"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Network Connection Via Certutil, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, Webshell Creation, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files, Antivirus Web Shell Detection"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, RTLO Character, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Copy Of Legitimate System32 Executable, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Execution From Suspicious Folder"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, Turla Named Pipes, WMIC Uninstall Product, Suspicious DLL Loaded Via Office Applications, PowerShell Invoke Expression With Registry, In-memory PowerShell, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Suspicious Taskkill Command, QakBot Process Creation, Mustang Panda Dropper, Suspicious Windows Script Execution, Venom Multi-hop Proxy agent detection, WMI DLL Loaded Via Office, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Scripting In A WMI Consumer, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, Invoke-TheHash Commandlets, Trickbot Malware Activity, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious PowerShell Commandlets, Mshta Suspicious Child Process, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, FromBase64String Command Line, Koadic Execution, WMImplant Hack Tool, Malicious PowerShell Keywords, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, PowerShell Credential Prompt, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell - NTFS Alternate Data Stream, Alternate PowerShell Hosts Pipe, Microsoft Office Spawning Script, Detection of default Mimikatz banner, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Putty Sessions Listing, Suspicious Taskkill Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File, WMI DLL Loaded Via Office, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory User Backdoors, Password Change On Directory Service Restore Mode (DSRM) Account, Mimikatz Basic Commands, Active Directory Delegate To KRBTGT Service, Privileged AD Builtin Group Modified, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators, Add User to Privileged Group, Active Directory Replication User Backdoor"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Turla Named Pipes, PowerShell Invoke Expression With Registry, In-memory PowerShell, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious XOR Encoded PowerShell Command Line, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, FromBase64String Command Line, WMImplant Hack Tool, Malicious PowerShell Keywords, PowerShell Credential Prompt, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Bloodhound and Sharphound Tools Usage, Alternate PowerShell Hosts Pipe, PowerShell - NTFS Alternate Data Stream, Detection of default Mimikatz banner"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Eventlog Cleared, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, High Privileges Network Share Removal, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Malware Protection Engine Crash, Debugging Software Deactivation, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, TrustedInstaller Impersonation, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable Services, Ryuk Ransomware Command Line, Fail2ban Unban IP, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Python Opening Ports, Powershell AMSI Bypass, Suspect Svchost Memory Access, Netsh Port Opening, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Disable SecurityHealth, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line, Rubeus Register New Logon Process, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Malware Protection Engine Crash, Debugging Software Deactivation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Services, Ryuk Ransomware Command Line, Fail2ban Unban IP, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable SecurityHealth, Disable Task Manager Through Registry Key, Raccine Uninstall, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Python Opening Ports, Netsh Allowed Python Program, Powershell AMSI Bypass, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, RDP Port Change Using Powershell, DHCP Callout DLL Installation, RedMimicry Winnti Playbook Registry Manipulation, Remote Registry Management Using Reg Utility, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, Suspicious New Printer Ports In Registry, RDP Sensitive Settings Changed, DNS ServerLevelPluginDll Installation, Ursnif Registry Key, Suspicious Desktopimgdownldr Execution, NetNTLM Downgrade Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, WMI Event Subscription, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Mustang Panda Dropper, Suspicious Cmd.exe Command Line, Lazarus Loaders, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, Gpscript Suspicious Parent, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, StoneDrill Service Install, Malicious Service Installations, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Rare Logonui Child Found, APT29 Fake Google Update Service Install, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, Gpscript Suspicious Parent, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, StoneDrill Service Install, Malicious Service Installations, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Rare Logonui Child Found, APT29 Fake Google Update Service Install, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, Suspicious PsExec Execution, Gpscript Suspicious Parent, PsExec Process, OneNote Suspicious Children Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Suspicious DNS Child Process, Smss Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Metasploit PSExec Service Creation, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Smbexec.py Service Installation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, Suspicious PsExec Execution, Gpscript Suspicious Parent, PsExec Process, OneNote Suspicious Children Process, Microsoft Defender Antivirus Threat Detected, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wininit Wrong Parent, Windows Update LolBins, Suspicious DNS Child Process, Smss Wrong Parent, Malicious Service Installations, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, WMI Persistence Command Line Event Consumer, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Metasploit PSExec Service Creation, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Smbexec.py Service Installation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, OneNote Embedded File, Secure Deletion With SDelete, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchindexer Wrong Parent, CreateRemoteThread Common Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Process Herpaderping, Spoolsv Wrong Parent, Malicious Named Pipe, Wmiprvse Wrong Parent, Cobalt Strike Named Pipes, Taskhost Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Process Hollowing Detection, Dynwrapx Module Loading, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, NjRat Registry Changes, Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Autorun Keys Modification, DLL Load via LSASS Registry Key, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Mimikatz LSASS Memory Access, Process Memory Dump Using Rdrleakdiag, DCSync Attack, Mimikatz Basic Commands, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names, Active Directory Replication from Non Machine Account, Cred Dump Tools Dropped Files, Copying Browser Files With Credentials, Process Memory Dump Using Createdump, Process Trace Alteration, Dumpert LSASS Process Dumper, Active Directory Database Dump Via Ntdsutil, Lsass Access Through WinRM, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, Password Dumper Activity On LSASS, SAM Registry Hive Handle Request, NetNTLM Downgrade Attack, Malicious Service Installations, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Credential Dumping-Tools Common Named Pipes, Transfering Files With Credential Data Via Network Shares, DPAPI Domain Backup Key Extraction, RedMimicry Winnti Playbook Dropped File, WCE wceaux.dll Creation, Unsigned Image Loaded Into LSASS Process, Impacket Secretsdump.py Tool, LSASS Memory Dump, Credential Dumping By LaZagne, Rubeus Tool Command-line, NTDS.dit File In Suspicious Directory, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, LSASS Access From Non System Account, Load Of dbghelp/dbgcore DLL From Suspicious Process, Wdigest Enable UseLogonCredential, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Dynamic Linker Hijacking From Environment Variable, Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access, Dumpert LSASS Process Dumper, Process Memory Dump Using Rdrleakdiag, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Credential Dumping By LaZagne, Lsass Access Through WinRM, LSASS Memory Dump File Creation, Windows Credential Editor Registry Key, LSASS Access From Non System Account, Credential Dumping-Tools Common Named Pipes, Password Dumper Activity On LSASS, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMImplant Hack Tool, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, WMI DLL Loaded Via Office, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 1, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, SCM Database Privileged Operation, SCM Database Handle Failure"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, PowerView commandlets 1, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Denied Access To Remote Desktop"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Admin Share Access, MMC Spawning Windows Shell, Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement, Lsass Access Through WinRM, Denied Access To Remote Desktop, Remote Service Activity Via SVCCTL Named Pipe, Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, RDP Login From Localhost"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Credential Dumping-Tools Common Named Pipes, RedMimicry Winnti Playbook Dropped File, Cred Dump Tools Dropped Files, SAM Registry Hive Handle Request, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Cobalt Strike Default Service Creation Usage, Lateral Movement - Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Explorer Wrong Parent"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Outlook Registry Access, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Microsoft Office Startup Add-In, Office Application Startup Office Test"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, Werfault DLL Injection, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DHCP Callout DLL Installation, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, WMI Event Subscription"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Stop Backup Services"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity, Suspicious Windows DNS Queries, Koadic MSHTML Command, Suspicious LDAP-Attributes Used, Potential Bazar Loader User-Agents, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Download Files From Non-Legitimate TLDs, Suspicious Double Extension, Suspicious Outlook Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Download Files From Non-Legitimate TLDs, Antivirus Exploitation Framework Detection, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, Microsoft Defender Antivirus Threat Detected, Download Files From Suspicious TLDs, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, Suspicious DLL Loaded Via Office Applications, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, Winword Document Droppers, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, Download Files From Suspicious TLDs, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, Suspicious DLL Loaded Via Office Applications, MS Office Product Spawning Exe in User Dir, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, Winword Document Droppers, Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Ngrok Process Execution"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, Suspicious Hostname"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution, Network Connection Via Certutil, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Execution From Suspicious Folder, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Microsoft Defender Antivirus Threat Detected, Koadic Execution, FromBase64String Command Line, Powershell Web Request, PowerShell - NTFS Alternate Data Stream, QakBot Process Creation, Trickbot Malware Activity, Mustang Panda Dropper, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Alternate PowerShell Hosts Pipe, SquirrelWaffle Malspam Execution Loading DLL, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, In-memory PowerShell, Mshta Suspicious Child Process, Suspicious Scripting In A WMI Consumer, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious DLL Loaded Via Office Applications, Turla Named Pipes, Suspicious Taskkill Command, Detection of default Mimikatz banner, PowerShell Credential Prompt, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Venom Multi-hop Proxy agent detection, Malicious PowerShell Keywords, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Generic, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Specific, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Putty Sessions Listing, Remote Registry Management Using Reg Utility, Suspicious Taskkill Command"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution, WMI DLL Loaded Via Office, XSL Script Processing And SquiblyTwo Attack, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Admin User RDP Remote Logon, User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, Denied Access To Remote Desktop"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Mimikatz Basic Commands, User Added to Local Administrators, Active Directory User Backdoors, Add User to Privileged Group, Active Directory Replication User Backdoor, Privileged AD Builtin Group Modified, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Delegate To KRBTGT Service, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Keywords, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, FromBase64String Command Line, Powershell Web Request, PowerShell - NTFS Alternate Data Stream, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Invoke-TheHash Commandlets, PowerShell Downgrade Attack, In-memory PowerShell, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Turla Named Pipes, Detection of default Mimikatz banner, PowerShell Credential Prompt, DNS Exfiltration and Tunneling Tools Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PowerShell Invocations - Generic, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious XOR Encoded PowerShell Command Line, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disable Services, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, NetNTLM Downgrade Attack, Powershell AMSI Bypass, Disabled IE Security Features, Microsoft Defender Antivirus Tampering Detected, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspect Svchost Memory Access, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Disable Security Events Logging Adding Reg Key MiniNt, Ryuk Ransomware Command Line, Python Opening Ports, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Configuration Changed, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Exclusion Configuration, Disable Windows Defender Credential Guard, TrustedInstaller Impersonation, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services, Windows Defender Deactivation Using PowerShell Script, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetNTLM Downgrade Attack, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Configuration Changed, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, Disable Windows Defender Credential Guard, TrustedInstaller Impersonation, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command, Python Opening Ports"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, NetNTLM Downgrade Attack, FlowCloud Malware, DNS ServerLevelPluginDll Installation, Chafer (APT 39) Activity, Suspicious Desktopimgdownldr Execution, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, RedMimicry Winnti Playbook Registry Manipulation, DHCP Callout DLL Installation, Ursnif Registry Key, Suspicious New Printer Ports In Registry, RDP Sensitive Settings Changed, Wdigest Enable UseLogonCredential, Disable Security Events Logging Adding Reg Key MiniNt, Blue Mockingbird Malware, Remote Registry Management Using Reg Utility, OceanLotus Registry Activity"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Change Default File Association, WMI Event Subscription, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Malspam Execution Registering Malicious DLL, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, Suspicious Desktopimgdownldr Execution, MavInject Process Injection, Control Panel Items, Dynwrapx Module Loading, Explorer Process Executing HTA File"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Malicious Service Installations, Dllhost Wrong Parent, Taskhost Wrong Parent, APT29 Fake Google Update Service Install, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, StoneDrill Service Install, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Malicious Service Installations, Dllhost Wrong Parent, Taskhost Wrong Parent, APT29 Fake Google Update Service Install, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, StoneDrill Service Install, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Malicious Service Installations, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Suspicious PsExec Execution, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Metasploit PSExec Service Creation, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Malicious Service Installations, Windows Update LolBins, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Suspicious PsExec Execution, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wininit Wrong Parent, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Gpscript Suspicious Parent, Taskhostw Wrong Parent, Winrshost Wrong Parent, Metasploit PSExec Service Creation, Searchprotocolhost Child Found, Spoolsv Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Smbexec.py Service Installation, Wsmprovhost Wrong Parent, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Secure Deletion With SDelete, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Herpaderping, Cobalt Strike Named Pipes, Taskhost Wrong Parent, Svchost Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Process Hollowing Detection, Wmiprvse Wrong Parent, Malicious Named Pipe, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, CreateRemoteThread Common Process Injection, MavInject Process Injection, Dynwrapx Module Loading, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Suspicious desktop.ini Action, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Malware Persistence Registry Key"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Credential Dumping By LaZagne, Cmdkey Cached Credentials Recon, Malicious Service Installations, SAM Registry Hive Handle Request, DCSync Attack, Lsass Access Through WinRM, Wdigest Enable UseLogonCredential, Credential Dumping-Tools Common Named Pipes, Dumpert LSASS Process Dumper, Suspicious SAM Dump, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, LSASS Memory Dump File Creation, DPAPI Domain Backup Key Extraction, Copying Browser Files With Credentials, Process Trace Alteration, HackTools Suspicious Process Names, Unsigned Image Loaded Into LSASS Process, Process Memory Dump Using Createdump, Load Of dbghelp/dbgcore DLL From Suspicious Process, HackTools Suspicious Process Names In Command Line, NetNTLM Downgrade Attack, RedMimicry Winnti Playbook Dropped File, LSASS Memory Dump, Mimikatz LSASS Memory Access, Impacket Secretsdump.py Tool, Password Dumper Activity On LSASS, Active Directory Replication from Non Machine Account, Windows Credential Editor Registry Key, Process Memory Dump Using Comsvcs, LSASS Access From Non System Account, Transfering Files With Credential Data Via Network Shares, Active Directory Database Dump Via Ntdsutil, Rubeus Tool Command-line, Mimikatz Basic Commands, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, Werfault DLL Injection, Windows Registry Persistence COM Search Order Hijacking, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Narrator Feedback-Hub Persistence, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Malware Persistence Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Dumpert LSASS Process Dumper, LSASS Memory Dump File Creation, Process Memory Dump Using Rdrleakdiag, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Credential Dumping By LaZagne, LSASS Access From Non System Account, Unsigned Image Loaded Into LSASS Process, Process Memory Dump Using Createdump, LSASS Memory Dump, Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, Password Dumper Activity On LSASS, Credential Dumping Tools Service Execution, Windows Credential Editor Registry Key"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module, Invoke-TheHash Commandlets, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, WMI DLL Loaded Via Office, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, AD User Enumeration"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, SCM Database Handle Failure, SCM Database Privileged Operation"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, PowerView commandlets 1, AdFind Usage, NlTest Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Phosphorus Domain Controller Discovery"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil, Impacket Secretsdump.py Tool, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lsass Access Through WinRM, RDP Login From Localhost, Protected Storage Service Access, RDP Port Change Using Powershell, Denied Access To Remote Desktop, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, MMC Spawning Windows Shell, Smbexec.py Service Installation, Admin Share Access, Lateral Movement - Remote Named Pipe, MMC20 Lateral Movement"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Suspicious SAM Dump, Cred Dump Tools Dropped Files, Copying Browser Files With Credentials, RedMimicry Winnti Playbook Dropped File, SAM Registry Hive Handle Request, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, DPAPI Domain Backup Key Extraction, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Cobalt Strike Default Service Creation Usage, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Admin Share Access, Lateral Movement - Remote Named Pipe"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Remote Registry Management Using Reg Utility, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test, Microsoft Office Startup Add-In"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Dynwrapx Module Loading, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
index 559c911176..2d4cef23d1 100644
--- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Darktrace Threat Visualizer [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Alert"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Darktrace Threat Visualizer [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index 6acdb4c105..07b9901b87 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index 66aff2d76d..8ddc304d8c 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Outlook Child Process, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Trickbot Malware Activity, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Spawning Script"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, Rare Lsass Child Found, Searchprotocolhost Child Found, Winword wrong parent, New Service Creation, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Rare Logonui Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, Rare Lsass Child Found, Searchprotocolhost Child Found, Winword wrong parent, New Service Creation, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Rare Logonui Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Usage Of Sysinternals Tools, PsExec Process, Rare Lsass Child Found, Searchprotocolhost Child Found, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Rare Logonui Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Usage Of Sysinternals Tools, PsExec Process, Rare Lsass Child Found, Searchprotocolhost Child Found, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Windows Update LolBins, Suspicious DNS Child Process, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Ursnif Registry Key, Blue Mockingbird Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain In Command Line"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Ngrok Process Execution"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Koadic Execution, Powershell Web Request, QakBot Process Creation, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, Microsoft Office Spawning Script, PowerShell Download From URL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable .NET ETW Through COMPlus_ETWEnabled, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Mshta Suspicious Child Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, MavInject Process Injection, Control Panel Items, Explorer Process Executing HTA File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Winword wrong parent, Rare Lsass Child Found, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Winword wrong parent, Rare Lsass Child Found, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Winword wrong parent, Rare Lsass Child Found, PsExec Process, Suspicious DNS Child Process, Searchprotocolhost Child Found, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Winword wrong parent, Rare Lsass Child Found, PsExec Process, Suspicious DNS Child Process, Windows Update LolBins, Searchprotocolhost Child Found, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, Autorun Keys Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, FlowCloud Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Blue Mockingbird Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
index f7ef01b3e8..8df2740c7f 100644
--- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Cybereason EDR Alert, PsExec Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Cybereason EDR Alert"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
index 957dc62969..7b90606a14 100644
--- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
index 402ae91f3c..eb854509c1 100644
--- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
index 4666887126..9f658576c0 100644
--- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
index ee30e6962e..b898977519 100644
--- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.json
index f3aef968a5..ac9cf11d01 100644
--- a/_shared_content/operations_center/detection/generated/attack_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x NetFlow", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x NetFlow", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
index 806cb0c0c5..6269394fe2 100644
--- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Rundll32.exe Execution, CMSTP Execution, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Mshta Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, xWizard Execution, Equation Group DLL_U Load, Suspicious Control Process, MavInject Process Injection"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Koadic Execution, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CMSTP Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, xWizard Execution, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, Mshta JavaScript Execution, Equation Group DLL_U Load, Control Panel Items, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
index 26debc1df9..dc72e096b0 100644
--- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
index 5a6ef88e75..a7c02b3f53 100644
--- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Sliver DNS Beaconing"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
index b96268a26b..144aeb547c 100644
--- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
index 3b1a0b8e57..dee5dd3217 100644
--- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sysmon Windows File Block Executable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
index c567a4a880..c4098e6b34 100644
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Possible Malicious File Double Extension, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Potential Ransomware Activity Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Potential Ransomware Activity Detected"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, Failed Logon Source From Public IP Addresses, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Safelinks Disabled, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS New Country, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Filter Rule Deletion"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Safelinks Disabled, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Filter Rule Deletion"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified, Domain Trust Created Or Removed"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
index df73939b89..1103d4ee08 100644
--- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x OGO WAF [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x OGO WAF [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
index 60ad75cea3..65d9a329de 100644
--- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
index 9b8fd85677..6b8464e129 100644
--- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Change Master Password, AWS CloudTrail RDS Public DB Restore"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Important Change, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail Remove Flow logs, AWS CloudTrail Disable MFA, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail EC2 Security Group Modified"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Important Change, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Remove Flow logs, AWS CloudTrail Disable MFA, AWS CloudTrail EventBridge Rule Disabled Or Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Password Policy Updated"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Password Policy Updated"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Change Master Password, AWS CloudTrail RDS Public DB Restore"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Important Change, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Important Change, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
index fb75a4413f..98dc0bcc20 100644
--- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
index cb28766ded..3c7d0352b9 100644
--- a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, FlowCloud Malware, Ursnif Registry Key, RDP Sensitive Settings Changed, OceanLotus Registry Activity"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index f8217fbfa1..7def63bdc1 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default GET beaconing, Sliver DNS Beaconing, Detect requests to Konni C2 servers, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Bazar Loader DGA (Domain Generation Algorithm), Koadic MSHTML Command, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Sliver DNS Beaconing, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
index 9107d868fc..dce53cce27 100644
--- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index 956a5ee9d6..0a83d9431a 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
index 8b65ef3d6c..75f0f409e0 100644
--- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Spearphishing (CEO Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (W2 Fraud) Detected By Vade For M365, Malware Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Malware Detected By Vade For M365, Spam Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (W2 Fraud) Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
index 93c145a67f..b986268e2a 100644
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta Application modified, Okta User Impersonation Access, Okta Application deleted, Okta User Account Deactivated"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified, Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta Network Zone Deleted, Okta Network Zone Deactivated"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Blacklist Manipulations, Okta Network Zone Modified, Okta Security Threat Configuration Updated, Okta Network Zone Deactivated, Okta MFA Disabled, Okta Network Zone Deleted"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Impersonation Access, Okta Application deleted, Okta Application modified, Okta Admin Privilege Granted, Okta User Account Deactivated"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified, Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Network Zone Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Modified, Okta Blacklist Manipulations, Okta Security Threat Configuration Updated, Okta Network Zone Deactivated, Okta MFA Disabled"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
index 2aad520f91..90bb88aa57 100644
--- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, Venom Multi-hop Proxy agent detection, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Reverse Shell Detection, Powershell Web Request, PowerShell Downgrade Attack, Socat Relaying Socket, Phorpiex DriveMgr Command, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled Service, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disabled Service, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Rclone Process, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Control Panel Items, Suspicious Rundll32.exe Execution, CMSTP Execution, Explorer Process Executing HTA File, AccCheckConsole Executing Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious Taskkill Command, Suspicious Mshta Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, xWizard Execution, Equation Group DLL_U Load, Suspicious Control Process, MavInject Process Injection"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, WMIC Uninstall Product, Elise Backdoor, Suspicious Taskkill Command, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Socat Relaying Socket, Koadic Execution, Powershell Web Request, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Python Offensive Tools and Packages, PowerShell Downgrade Attack, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Lazarus Loaders, Interactive Terminal Spawned via Python, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Socat Relaying Socket, Exfiltration And Tunneling Tools Execution, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Allowed Python Program, Disabled Service, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SELinux Disabling, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled Service, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CMSTP Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, xWizard Execution, MavInject Process Injection, Suspicious Mshta Execution, CertOC Loading Dll, Mshta JavaScript Execution, Equation Group DLL_U Load, Control Panel Items, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Explorer Process Executing HTA File, Suspicious Control Process"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index 37387419c1..dc500912af 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
index ca5ee92d1d..6475e224bc 100644
--- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
index 620da7af05..477c472bd7 100644
--- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21985 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-21972 VMware vCenter, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, GitLab CVE-2021-22205, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Detect requests to Konni C2 servers"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
index b8e4954664..26e3429d6c 100644
--- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x StormShield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Explorer Process Executing HTA File, IcedID Execution Using Excel, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command, Suspicious Outlook Child Process, QakBot Process Creation, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, PowerShell Downgrade Attack, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Default Encoding To UTF-8 PowerShell, Trickbot Malware Activity, DNS Exfiltration and Tunneling Tools Execution, Mshta Suspicious Child Process, Koadic Execution, AutoIt3 Execution From Suspicious Folder, XSL Script Processing And SquiblyTwo Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Lazarus Loaders, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Office Spawning Script"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Windows Firewall Changes, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, MalwareBytes Uninstallation, WMIC Uninstall Product, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Package Manager Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Using Registry, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh RDP Port Forwarding"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell Downgrade Attack"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, Control Panel Items, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Suspicious Cmd.exe Command Line, Lazarus Loaders"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Koadic Execution, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious Windows Script Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Equation Group DLL_U Load"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Suspicious Mshta Execution, Empire Monkey Activity, xWizard Execution, Control Panel Items, CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution, AccCheckConsole Executing Dll, MavInject Process Injection, Explorer Process Executing HTA File, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Control Process"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, OneNote Suspicious Children Process, New Service Creation, Searchindexer Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent, Winword wrong parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, OneNote Suspicious Children Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Csrss Child Found, PsExec Process, OneNote Suspicious Children Process, Searchindexer Wrong Parent, Csrss Wrong Parent, Lsass Wrong Parent, Windows Update LolBins, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Usage Of Sysinternals Tools, Winlogon wrong parent, Winword wrong parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Logonui Wrong Parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Userinit Wrong Parent, Svchost Wrong Parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Leviathan Registry Key Activity, Kernel Module Alteration, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Capture a network trace with netsh.exe"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Koadic Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Allowed Python Program, Windows Firewall Changes, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Opening, Netsh Port Forwarding, Netsh Allow Command, Netsh RDP Port Forwarding"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, Impacket Wmiexec Module, WMI Install Of Binary, Wmic Process Call Creation, Suspicious Mshta Execution From Wmi, Wmic Service Call, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Outlook Registry Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, Blue Mockingbird Malware"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x StormShield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Suspicious Double Extension, Suspicious Outlook Child Process, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Explorer Process Executing HTA File, Winword Document Droppers"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Pandemic Windows Implant, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Koadic Execution, Powershell Web Request, QakBot Process Creation, Trickbot Malware Activity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Phorpiex DriveMgr Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Sysprep On AppData Folder, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Outlook Child Process, Elise Backdoor, Suspicious Windows Script Execution, Suspicious PowerShell Invocations - Specific, Microsoft Office Spawning Script, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Clear EventLogs Through CommandLine, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, NetSh Used To Disable Windows Firewall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Windows Firewall Changes, Netsh Allow Command, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Port Forwarding, Package Manager Alteration, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Fail2ban Unban IP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Disable Task Manager Through Registry Key, Netsh Port Opening, MalwareBytes Uninstallation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, Mshta Suspicious Child Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Koadic Execution, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploited CVE-2020-10189 Zoho ManageEngine, Lazarus Loaders, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Control Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Mshta JavaScript Execution, Equation Group DLL_U Load, CMSTP UAC Bypass via COM Object Access, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Empire Monkey Activity, Suspicious Taskkill Command, Suspicious Regsvr32 Execution, MOFComp Execution, PowerShell Execution Via Rundll32, AccCheckConsole Executing Dll, CMSTP Execution, MavInject Process Injection, Control Panel Items, Explorer Process Executing HTA File"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Rare Logonui Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winlogon wrong parent, Wmiprvse Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Lsass Wrong Parent, Searchprotocolhost Wrong Parent, Smss Wrong Parent, Usage Of Sysinternals Tools, Rare Logonui Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Spoolsv Wrong Parent, Csrss Wrong Parent, Wsmprovhost Wrong Parent"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Trace Alteration, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, STRRAT Scheduled Task, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Cron Files Alteration, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Workstation Lock, FlowCloud Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, RDP Sensitive Settings Changed, Blue Mockingbird Malware, OceanLotus Registry Activity"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index 61f3fa0e64..be23d6a427 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -1,4 +1,4 @@
-Rules catalog includes **760 built-in detection rules** ([_last update on 2023-10-11_](rules_changelog.md)).
+Rules catalog includes **762 built-in detection rules** ([_last update on 2023-10-11_](rules_changelog.md)).
 ## Reconnaissance
 **Gather Victim Network Information**
 
@@ -311,6 +311,12 @@ Rules catalog includes **760 built-in detection rules** ([_last update on 2023-1
     
 **Compromise Accounts**
 
+??? abstract "Cisco Identity Services Engine Configuration Changed"
+    
+    Cisco Identity Services Engine (ISE) has detected a device configuration changed (Added, Changed or Deleted). This should be reviewed in order to check if this an expected admin action.
+    
+    - **Effort:** master
+    
 ??? abstract "Microsoft Defender for Office 365 High Severity AIR Alert"
     
     Microsoft Defender for Office 365 includes the capability to run Automated investigation and response (AIR) actions. This rule detects when a High severity alert triggers an automated investigation, such as when a potentially malicious URL click was detected, or when a user is restricted from sending email.
@@ -339,6 +345,12 @@ Rules catalog includes **760 built-in detection rules** ([_last update on 2023-1
     
         - 07/08/2023 - major - Switching type from event_count to value_count | Adding Target in order to match only on different Apps
             
+??? abstract "Varonis Data Security Email Alert"
+    
+    Varonis Data Security has raised an alert related to a supervised email account.
+    
+    - **Effort:** master
+    
 **Obtain Capabilities**
 
 ??? abstract "Privilege Escalation Awesome Scripts (PEAS)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md
index cdd4696acc..fa131fc044 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Google Kubernetes Engine** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Google Kubernetes Engine**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Google Kubernetes Engine on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json){ .md-button }
 ??? abstract "Address Space Layout Randomization (ASLR) Alteration"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md
index 49f198a772..ceee3d4436 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Elastic AuditBeat Linux** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Elastic AuditBeat Linux**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Elastic AuditBeat Linux on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md
index fc848b64b9..0d62f17903 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Citrix NetScaler / ADC [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Citrix NetScaler / ADC [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Citrix NetScaler / ADC [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2018-11776 Apache Struts2"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
index 2d9c722b05..af1227f83a 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **WithSecure Elements** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **WithSecure Elements**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x WithSecure Elements on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md
index 8ce6d2e860..500f58c468 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Google Report** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Google Report**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Google Report on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md
index 0b18d9dbf2..f1427e1b72 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Microsoft 365 Defender** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Microsoft 365 Defender**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Microsoft 365 Defender on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md
index 03dd4bff64..cd1288f74a 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **VMware vCenter** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **VMware vCenter**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x VMware vCenter on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
index 8c11498a69..fdf9a5e7f4 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Trend Micro Apex One [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Trend Micro Apex One [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Trend Micro Apex One [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.md
index cf73706b5f..73fc2e2c63 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **AWS VPC Flow logs** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **AWS VPC Flow logs**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x AWS VPC Flow logs on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md
index 3294d8b054..116fab6572 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **SentinelOne EDR** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **SentinelOne EDR**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x SentinelOne EDR on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json){ .md-button }
 ??? abstract "Address Space Layout Randomization (ASLR) Alteration"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.md
index 2b8f0ddbef..f16e6038d3 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cloudflare HTTP requests** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cloudflare HTTP requests**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cloudflare HTTP requests on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
index ddf25cec19..76de5b3212 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cybereason EDR activity** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cybereason EDR activity**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cybereason EDR activity on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md
index eff3332c8b..a0d8b686b9 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Crowdstrike Falcon Telemetry** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Crowdstrike Falcon Telemetry**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Crowdstrike Falcon Telemetry on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json){ .md-button }
 ??? abstract "Address Space Layout Randomization (ASLR) Alteration"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.md
index 8279ce597f..ba957faefd 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Azure Linux [DEPRECATED]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Azure Linux [DEPRECATED]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Azure Linux [DEPRECATED] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json){ .md-button }
 ??? abstract "Address Space Layout Randomization (ASLR) Alteration"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.md
index c89e036c86..d6910e0cfc 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cloudflare WAF events** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cloudflare WAF events**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cloudflare WAF events on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json){ .md-button }
 ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.md
index 4bebb78893..f79b2fadf1 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Microsoft Entra ID / Azure AD** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Microsoft Entra ID / Azure AD**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Microsoft Entra ID / Azure AD on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json){ .md-button }
 ??? abstract "Microsoft Entra ID (Azure AD) Abnormal Token"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.md
index c3f16d101f..1aa32e667b 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **CEF** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **CEF**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x CEF on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md
index 8d5c34a6fa..6263cf728a 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **RSA SecurID** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **RSA SecurID**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x RSA SecurID on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json){ .md-button }
 ??? abstract "Address Space Layout Randomization (ASLR) Alteration"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
index 17a1bb1e98..047d994986 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **CrowdStrike Falcon** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **CrowdStrike Falcon**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x CrowdStrike Falcon on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.md
index 76814c4496..96394d6107 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cisco Secure Web Appliance** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cisco Secure Web Appliance**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cisco Secure Web Appliance on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
index a9b6f56b07..d7a94aacfc 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Sekoia.io Endpoint Agent** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Sekoia.io Endpoint Agent**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Sekoia.io Endpoint Agent on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json){ .md-button }
 ??? abstract "AD Object WriteDAC Access"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.md
index 94d697c7b6..35de68dedd 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Fortinet FortiProxy** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Fortinet FortiProxy**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Fortinet FortiProxy on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json){ .md-button }
 ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
index 4948b7151b..b23898b50f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Azure Windows** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Azure Windows**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Azure Windows on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md
index edcc819fe8..1de8465216 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **VMware ESXi [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **VMware ESXi [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x VMware ESXi [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json){ .md-button }
 ??? abstract "Address Space Layout Randomization (ASLR) Alteration"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md
index 760d2e7ab0..6a65cdf842 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cisco ESA [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cisco ESA [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cisco ESA [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.md
index ab16b5cfaf..19a6fd1313 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Sophos Firewall** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Sophos Firewall**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Sophos Firewall on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.md
index 5966dcbb6d..8b36f2a22f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **OpenLDAP [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **OpenLDAP [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x OpenLDAP [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
index 61e68fbea0..7f0ed40a3f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **HarfangLab EDR** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **HarfangLab EDR**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x HarfangLab EDR on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.md
index 801e8452f8..ec8ec30b89 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **AWS GuardDuty [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **AWS GuardDuty [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x AWS GuardDuty [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json){ .md-button }
 ??? abstract "AWS GuardDuty High Severity Alert"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.md
index cd7f22b341..07cda6a8a7 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Sophos EDR** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Sophos EDR**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Sophos EDR on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md
index d1e46b205a..2ae058daac 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Skyhigh Secure Web Gateway / McAfee Web Gateway** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Skyhigh Secure Web Gateway / McAfee Web Gateway**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md
index 184c2a6763..1d6927c8c0 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **SentinelOne Cloud Funnel 2.0 [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **SentinelOne Cloud Funnel 2.0 [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md
index 41d7dbef21..71f14153c6 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Broadcom/Symantec Endpoint Security** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Broadcom/Symantec Endpoint Security**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Broadcom/Symantec Endpoint Security on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.md
index cfdc131c92..74d5bdd338 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Sekoia.io activity logs** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Sekoia.io activity logs**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Sekoia.io activity logs on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2018-11776 Apache Struts2"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.md
index 270c581e2e..c1775dbde1 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Google Cloud Audit Logs** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Google Cloud Audit Logs**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Google Cloud Audit Logs on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json){ .md-button }
 ??? abstract "Nimbo-C2 User Agent"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md
index 5040458953..2dd2041ca3 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cisco Secure Firewall** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cisco Secure Firewall**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cisco Secure Firewall on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md
index 256429a3e3..dc7f52f57c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cato Networks SASE [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cato Networks SASE [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cato Networks SASE [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.md
index a8d8c146fa..677f1241ff 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Proofpoint TAP** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Proofpoint TAP**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Proofpoint TAP on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.md
index 75fda807b3..a4cf1eb035 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **AWS WAF** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **AWS WAF**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x AWS WAF on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.md
index 26431bc1b8..1d6b35ce04 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Retarus Email Security** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Retarus Email Security**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Retarus Email Security on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.md
index 186d2199c0..00df074938 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Kubernetes Audit Log** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Kubernetes Audit Log**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Kubernetes Audit Log on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.md
index 1d62ab7530..1d4dcbfca1 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Google VPC Flow Logs** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Google VPC Flow Logs**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Google VPC Flow Logs on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json){ .md-button }
 ??? abstract "SEKOIA.IO Intelligence Feed"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.md
index 1a128b48bd..9d382295d8 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cisco Duo Security** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cisco Duo Security**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cisco Duo Security on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.md
index fe90f6f00e..b7d97a20d0 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Fortinet FortiGate** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Fortinet FortiGate**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Fortinet FortiGate on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.md
index 55bd24a024..02f536416d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cloudflare Access Requests** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cloudflare Access Requests**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cloudflare Access Requests on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json){ .md-button }
 ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
index 43336649aa..c945da6365 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cisco NX-OS [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cisco NX-OS [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cisco NX-OS [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.md
index 3c13374b0c..2de266d200 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Azure Front Door** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Azure Front Door**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Azure Front Door on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2018-11776 Apache Struts2"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md
index 4af978a2dd..ba15969a8c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **WALLIX Bastion** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **WALLIX Bastion**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x WALLIX Bastion on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json){ .md-button }
 ??? abstract "Address Space Layout Randomization (ASLR) Alteration"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.md
index d86d3169b3..ace8ae962e 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Ubika WAAP Gateway [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Ubika WAAP Gateway [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Ubika WAAP Gateway [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json){ .md-button }
 ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.md
index c38215b2f1..eb6a8b6586 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cisco IOS router and switch** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cisco IOS router and switch**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cisco IOS router and switch on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.md
index 3dd3b2b48d..8be24cedd7 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cloudflare Audit logs [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cloudflare Audit logs [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cloudflare Audit logs [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md
index 77aaa9555a..476615f23a 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Stormshield SNS** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Stormshield SNS**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Stormshield SNS on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json){ .md-button }
 ??? abstract "SEKOIA.IO Intelligence Feed"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.md
index 4db9024f83..337829a9e3 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Ivanti / Pulse Connect Secure** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Ivanti / Pulse Connect Secure**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Ivanti / Pulse Connect Secure on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json){ .md-button }
 ??? abstract "Potential Azure AD Phishing Page (Adversary-in-the-Middle)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.md
index a3514a1305..cda01a689d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cloudflare Gateway DNS [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cloudflare Gateway DNS [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cloudflare Gateway DNS [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json){ .md-button }
 ??? abstract "SEKOIA.IO Intelligence Feed"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.md
index ff3b407cef..886c0223b6 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Varonis Data Security [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Varonis Data Security [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Varonis Data Security [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json){ .md-button }
 ??? abstract "Cron Files Alteration"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.md
index 6ac5e73559..250a8ed819 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Microsoft Always On VPN** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Microsoft Always On VPN**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Microsoft Always On VPN on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json){ .md-button }
 ??? abstract "RYUK Ransomeware - martinstevens Username"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.md
index 5e6ab43990..c9336243ee 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Github Audit logs [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Github Audit logs [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Github Audit logs [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json){ .md-button }
 ??? abstract "GitHub Delete Action"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.md
index b532f3fb27..9404553fd6 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Vade Cloud [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Vade Cloud [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Vade Cloud [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.md
index a9ec50bf04..046e653645 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Microsoft 365 Message Trace** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Microsoft 365 Message Trace**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Microsoft 365 Message Trace on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.md
index db119a53ca..f14575cbdd 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **OpenBSD Packet Filter** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **OpenBSD Packet Filter**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x OpenBSD Packet Filter on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.md
index aa39e8186a..2ab49dd8a1 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Infoblox DDI** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Infoblox DDI**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Infoblox DDI on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json){ .md-button }
 ??? abstract "SEKOIA.IO Intelligence Feed"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.md
index b4d705e1a9..badfcc9b76 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.md
@@ -1,8 +1,14 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cisco ISE** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cisco ISE**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cisco ISE on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json){ .md-button }
+??? abstract "Cisco Identity Services Engine Configuration Changed"
+    
+    Cisco Identity Services Engine (ISE) has detected a device configuration changed (Added, Changed or Deleted). This should be reviewed in order to check if this an expected admin action.
+    
+    - **Effort:** master
+
 ??? abstract "RYUK Ransomeware - martinstevens Username"
     
     Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020.
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md
index 8c679801ae..412f2122bc 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **SentinelOne Cloud Funnel 1.0 [Deprecated]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **SentinelOne Cloud Funnel 1.0 [Deprecated]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
index 052fa46a1f..96a4c39d1b 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **TEHTRIS EDR** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **TEHTRIS EDR**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x TEHTRIS EDR on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md
index 137b8526f5..af06da7fdd 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Palo Alto NGFW** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Palo Alto NGFW**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Palo Alto NGFW on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.md
index 79d8e14057..912f29cab6 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **ISC DHCP** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **ISC DHCP**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x ISC DHCP on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json){ .md-button }
 ??? abstract "SEKOIA.IO Intelligence Feed"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
index 836655bea6..437da4910a 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Windows** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Windows**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Windows on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json){ .md-button }
 ??? abstract "AD Object WriteDAC Access"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.md
index 788dad1aea..96724d8243 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Darktrace Threat Visualizer [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Darktrace Threat Visualizer [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Darktrace Threat Visualizer [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json){ .md-button }
 ??? abstract "Darktrace Threat Visualizer Model Breach Critical Alert"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.md
index f41c60cda1..0ca5c21999 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cisco Meraki MX** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cisco Meraki MX**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cisco Meraki MX on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2018-11776 Apache Struts2"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
index 4b179f3f72..99484eda35 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Sophos Analysis Threat Center [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Sophos Analysis Threat Center [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Sophos Analysis Threat Center [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.md
index c7c153f1c2..ba2346d768 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Claroty xDome [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Claroty xDome [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Claroty xDome [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md
index 5f1094c0cd..b1983cf16b 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cybereason EDR** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cybereason EDR**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cybereason EDR on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.md
index e4cc034c85..5655f75747 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Squid** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Squid**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Squid on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.md
index c0f9662c0a..5a9c6ba2c1 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **BIND** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **BIND**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x BIND on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json){ .md-button }
 ??? abstract "SEKOIA.IO Intelligence Feed"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md
index f2ff9b30f1..ebcb149e31 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Jumpcloud Directory Insights** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Jumpcloud Directory Insights**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Jumpcloud Directory Insights on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a406a8c1-e1e0-4fe9-835b-3607d01150e6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a406a8c1-e1e0-4fe9-835b-3607d01150e6_do_not_edit_manually.md
index a4dba43c1f..b09cf4e39d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_a406a8c1-e1e0-4fe9-835b-3607d01150e6_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_a406a8c1-e1e0-4fe9-835b-3607d01150e6_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Netwrix Auditor** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Netwrix Auditor**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Netwrix Auditor on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_a406a8c1-e1e0-4fe9-835b-3607d01150e6_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.md
index 75c29b57a3..018686a049 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **F5 NGINX** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **F5 NGINX**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x F5 NGINX on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json){ .md-button }
 ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.md
index 9b7d107c06..ab9ea108c1 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **FreeRADIUS** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **FreeRADIUS**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x FreeRADIUS on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json){ .md-button }
 ??? abstract "FreeRADIUS Failed Authentication"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.md
index 0c15697869..f04db56bbd 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **NetFlow** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **NetFlow**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x NetFlow on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.json){ .md-button }
 ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md
index 60d128fdce..23cff8de3d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Trend Micro Cloud One / Deep Security** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Trend Micro Cloud One / Deep Security**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Trend Micro Cloud One / Deep Security on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.md
index 49d6194939..7cd5c53797 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Trellix EPO [ALPHA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Trellix EPO [ALPHA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Trellix EPO [ALPHA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.md
index 0d174a08a4..ca8403fa2a 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Gatewatcher AionIQ** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Gatewatcher AionIQ**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Gatewatcher AionIQ on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json){ .md-button }
 ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.md
index be032d696f..17e77c10ca 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cloudflare DNS logs** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cloudflare DNS logs**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cloudflare DNS logs on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json){ .md-button }
 ??? abstract "SEKOIA.IO Intelligence Feed"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.md
index 24182912f8..638f31c3ec 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Vectra Cognito Detect** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Vectra Cognito Detect**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Vectra Cognito Detect on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
index bdeb30a210..88cccdf549 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Elastic Winlogbeat** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Elastic Winlogbeat on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json){ .md-button }
 ??? abstract "Account Added To A Security Enabled Group"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.md
index 3639e04657..0853cc186b 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Microsoft Intune** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Microsoft Intune**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Microsoft Intune on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json){ .md-button }
 ??? abstract "Microsoft Intune Non-Compliant Device"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.md
index 1ce04beb2f..4575e459d9 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Netfilter** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Netfilter**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Netfilter on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json){ .md-button }
 ??? abstract "SEKOIA.IO Intelligence Feed"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md
index 578154319f..a47b74598d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Microsoft 365 / Office 365** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Microsoft 365 / Office 365**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Microsoft 365 / Office 365 on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json){ .md-button }
 ??? abstract "Account Added To A Security Enabled Group"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ccf942fe-c839-42be-a081-5c3f946e80f5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ccf942fe-c839-42be-a081-5c3f946e80f5_do_not_edit_manually.md
index f12f7ab5c5..a06ef59e6f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ccf942fe-c839-42be-a081-5c3f946e80f5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ccf942fe-c839-42be-a081-5c3f946e80f5_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **ReliaQuest GreyMatter/ Digital Shadows SearchLight** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **ReliaQuest GreyMatter/ Digital Shadows SearchLight**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x ReliaQuest GreyMatter/ Digital Shadows SearchLight on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_ccf942fe-c839-42be-a081-5c3f946e80f5_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.md
index ec8fa0f8b5..9c1d40bab4 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **OGO WAF [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **OGO WAF [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x OGO WAF [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.md
index ef1916246d..6228fcf89b 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cloudflare Gateway Network [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cloudflare Gateway Network [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cloudflare Gateway Network [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md
index 2422142ba7..52eac5aa4d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Salesforce [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Salesforce [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Salesforce [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2018-11776 Apache Struts2"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md
index bfa46303da..fde146e5dd 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **AWS CloudTrail** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **AWS CloudTrail**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x AWS CloudTrail on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json){ .md-button }
 ??? abstract "AWS CloudTrail Config Disable Channel/Recorder"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.md
index e666c0264e..d3a6cb8878 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **ArubaOS Switch** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **ArubaOS Switch**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x ArubaOS Switch on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json){ .md-button }
 ??? abstract "RYUK Ransomeware - martinstevens Username"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.md
index 426a88d514..f7374d25d6 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Rubycat PROVE IT** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Rubycat PROVE IT**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Rubycat PROVE IT on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md
index 2dd6cb3d07..c6a7a3cc85 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **WatchGuard Firebox** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **WatchGuard Firebox**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x WatchGuard Firebox on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json){ .md-button }
 ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.md
index 615ddb5c89..dcf925b3dc 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Imperva WAF** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Imperva WAF**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Imperva WAF on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2018-11776 Apache Struts2"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.md
index d05d1da405..c7032f03b0 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Panda Security SIEM Feeder** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Panda Security SIEM Feeder**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Panda Security SIEM Feeder on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json){ .md-button }
 ??? abstract "Disable Workstation Lock"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.md
index 639e11554f..0e5b58425f 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Zscaler Internet Access [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Zscaler Internet Access [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Zscaler Internet Access [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json){ .md-button }
 ??? abstract "Bazar Loader DGA (Domain Generation Algorithm)"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md
index 6e2f63703a..f7573b4140 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Netskope** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Netskope**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Netskope on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.md
index 76566078d6..938ba7784d 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Proofpoint PoD** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Proofpoint PoD**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Proofpoint PoD on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json){ .md-button }
 ??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_e30f7bcc-7c55-4666-9d32-61a0aa75a2c3_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_e30f7bcc-7c55-4666-9d32-61a0aa75a2c3_do_not_edit_manually.md
index e0157ba21e..eaa8b00901 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_e30f7bcc-7c55-4666-9d32-61a0aa75a2c3_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_e30f7bcc-7c55-4666-9d32-61a0aa75a2c3_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Pradeo Security MTD** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Pradeo Security MTD**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Pradeo Security MTD on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_e30f7bcc-7c55-4666-9d32-61a0aa75a2c3_do_not_edit_manually.json){ .md-button }
 ??? abstract "RYUK Ransomeware - martinstevens Username"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.md
index ec396fc523..e4125974e7 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Vade for M365** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Vade for M365**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Vade for M365 on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.md
index d26c915245..48f72f7ddf 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Okta** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Okta**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Okta on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json){ .md-button }
 ??? abstract "Jumpcloud Policy Modified"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
index 852f92f223..7533b2e1e7 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **IBM AIX** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **IBM AIX**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x IBM AIX on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
index c7697f88de..42b3f611a3 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **SonicWall Firewall [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **SonicWall Firewall [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x SonicWall Firewall [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json){ .md-button }
 ??? abstract "AdFind Usage"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.md
index 3f5487d1df..55a60642c0 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **WatchGuard Endpoint Security / Panda Security Aether** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **WatchGuard Endpoint Security / Panda Security Aether**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json){ .md-button }
 ??? abstract "Account Added To A Security Enabled Group"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.md
index e8284f6ac9..1df67ba18c 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Check Point NGFW** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Check Point NGFW**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Check Point NGFW on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json){ .md-button }
 ??? abstract "SEKOIA.IO Intelligence Feed"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.md
index f9aba94ba3..c5b7ad33b6 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Forcepoint Secure Web Gateway** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Forcepoint Secure Web Gateway**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Forcepoint Secure Web Gateway on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.md
index 09061df5ae..e6ab96d426 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **Cloudflare Gateway HTTP [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **Cloudflare Gateway HTTP [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x Cloudflare Gateway HTTP [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json){ .md-button }
 ??? abstract "Burp Suite Tool Detected"
diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
index 6b426ec1ff..74783bea3a 100644
--- a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md
@@ -1,6 +1,6 @@
 ## Related Built-in Rules
 
-Benefit from SEKOIA.IO built-in rules and upgrade **StormShield SES [BETA]** with the following detection capabilities out-of-the-box.
+The following Sekoia.io built-in rules match the intake **StormShield SES [BETA]**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
 
 [SEKOIA.IO x StormShield SES [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json){ .md-button }
 ??? abstract "AccCheckConsole Executing Dll"